Outgoing notifications: "Okta is currently experiencing a trust event that potentially affects your organization."
Is that what we're calling it now? A trust event?
Every time I bump into Apple security friends at cons, I ask them to peek at my iOS settings for red flags. The first place they tap is to look at installed configuration profiles.
"An unauthenticated attacker could call a method on the LSARPC interface and coerce the domain controller to authenticate to the attacker using NTLM..."
Fresh Windows 0day (CVE-2022-26925)
Azure Backdoors: How to Hide Them, How to Find Them
Conclusion: "There has never been a better time than right now to get involved in Azure abuse research."
Watch the @_wald0 talk:
Slides:
Pretty significant Project Zero findings 🩹
18 zero-days in Samsung Exynos chipsets, some nasty enough to cause "Internet-to-baseband remote code execution" with no user interaction.
Attacker only needs victim's phone number 👩
Quick story:
Microsoft Patch Tuesday is a doozy this month:
- 114 documented CVEs
- 4 critical MS Exchange Server vulns
- 2 pre-auth code execution vulns found by NSA
- 1 in-the-wild 0day found by Kaspersky ninja @oct0xor
- 0 Pwn2Own bugs fixed
An all-female edition of new CISO hirings
- Latha Maripuri (formerly NewsCorp) is new Uber CISO
- Nike's Jameeka Green Aaron is the new CISO at Auth0
- Laura Deaner is new CISO at Northwestern Mutual
- Ally Miller (former BofA) is the new CISO at Reddit
A big win for sharing IOCs:
"On October 13, 2023, BeyondTrust provided Okta Security a suspicious IP address attributed to the threat actor. With this indicator, we identified the additional file access events associated with the compromised account."
Security headlines over the past 2-3 days:
- Two Apple iOS, macOS zero-days
- Adobe PDF Reader 0day exploited
- Cisco ASA 0day exploited in Akira ransomware
- Google patches Chrome 0-day reported by Apple
- Microsoft Patches 2 New Exploited zero-days
Stay blessed.
Orange Tsai (@orange_8361) at Black Hat:
"Fun fact - even if you found a super critical bug like ProxyLogon, Microsoft will not reward you any bounty because Exchange Server On-Prem is out of scope."
0days everywhere 👀
Cloudflare, Google and AWS on a new zero-day named ‘HTTP/2 Rapid Reset’ being exploited by malicious actors to launch "the largest distributed denial-of-service (DDoS) attacks in internet history"
<- reporting by @EduardKovacs
Netflix VP of Information Security with tons of good advice for security marketers, including this one I see everywhere:
"Don’t offer me a gift card, gift, or cash in exchange for a meeting. Just no."
NEW! DARPA program manager Perri Adams chats about her love for CTF hacking competitions and the hunt for leapfrog security technologies in the AI cyber challenge
<-- episode sponsored by @binarly_io
*New live hack demo video*
CNN’s @donie asked me to hack him again at @defcon — hacked him last time thru service provider call center attacks, but this time I intruded using the easiest method: reused passwords found in data breaches.
Here’s the breakdown.
CVE-2021-22555 is a 15-yr-old heap out-of-bounds write vuln in Linux Netfilter. It was used to break the Kubernetes pod isolation of the kCTF cluster and won $20K for charity.
I asked DEF CON CTF organizer Perri Adams about the make-up of a good capture-the-flag player and for recommendations for someone now getting started
@perribus
New Windows 0day in the wild
"Microsoft is aware of limited targeted attacks that could leverage unpatched vulnerabilities in the Adobe Type Manager Library..."
Advisory with pre-patch workarounds here
New! A fun conversation with Google Project Zero's Maddie Stone (@maddiestone) on 0days, disclosure transparency, memory safety vulns, exploit/samples sharing, and more...
🔥 NEW podcast alert: Costin Raiu digs into why he left the GReAT team after 13 years at the helm, ethical questions on exposing certain APT operations, changes in the nation-state malware attribution game, the most technically impressive attacks, the 'dark spots' where
Google in 2008: A new approach to browser security: the Chrome Sandbox
Google now: Sandboxing is expensive…Sandboxing doesn’t eliminate vulnerabilities from the code.
I wrote about the death of the sandbox:
HashiCorp has confirmed it is a victim of the Codecov supply chain attack
The GPG private key used to sign hashes to validate product downloads was exposed
Apple iOS #FacePalm patch is live
Two bug finders credited:
CVE-2019-6223: Grant Thompson of Catalina Foothills High School, Daven Morris of Arlington, TX
🎙 New podcast with Shubs Shah (@infosec_au), an Aussie hacker who mastered the bug bounty hacking game and is now rewriting the rules of continuous pre-hack reconnaissance.
Enjoy
🥰 DARPA's Dr Sergey Bratus shows love to hackers!
"If you want to understand how systems work or how to break them, go to DEF CON or read Phrack."
@sergeybratus
@DARPA
NSA's Rob Joyce (@RGB_Lights) at Enigma 2016:
"There’s a reason it’s called advanced persistent threats. Because we’ll poke and we’ll poke and we’ll wait and we’ll wait and we’ll wait, right? We’re looking for that opening and that opportunity, to finish the mission."
Ian Beer: “I shan't get into a discussion of whether these exploits cost $1 million, $2 million, or $20 million. I will instead suggest that all of those price tags seem low for the capability to target and monitor the private activities of entire populations in real time.”
Another significant software supply chain hack: Codecov Bash Uploader breach went undetected for four months as attackers stole credentials, tokens and keys from orgs around the world
Ukrainian CERT credited with the MS Outlook 0day, suggesting this is gov-level APT activity
"This could lead to exploitation BEFORE the email is viewed in the Preview Pane."
With all the zero-day exploit chatter, I'm republishing this 2013 podcast interview with VUPEN/Zerodium CEO Chaouki Bekrar.
I believe it's the only podcast interview @cBekrar has granted and I'm glad I'm able to salvage it for the public record:
This line still freaks me out (from Mandiant's APT1 report):
"The longest time period APT1 maintained access to a victim’s network was 1,764 days, or four years and ten months."
The billionaire chief executive of WhatsApp, Jan Koum, is planning to leave the company after clashing with its parent, Facebook, over the popular messaging service’s strategy and Facebook’s attempts to use its personal data and weaken its encryption